Data path (how it flows)
Typical flow:
- Network device → syslog sender (UDP/TCP)
- Syslog collector/ingestion → Graylog (inputs/streams/pipelines)
- Routed/normalized events → Wazuh Indexer / OpenSearch-backed storage (tenant-aware)
- Graylog alert definitions → gl-events* → CoPilot Incident Management → Alerts
- Operator workflow → Cases
The key requirement in multi-tenant setups is tenant-aware routing.
Vendor/device guides
Success criteria
- Syslog events are arriving
- You can identify the device/source
- Events are routed/tagged to the correct customer
- You can build at least one alert on top of the data (optional)
Starter alerts (generic)
These are useful across most firewall/device syslog sources:
- Excessive denies/drops from a single source IP
- Inbound connections to sensitive ports (RDP/SSH/VPN admin)
- New admin login or configuration change event
- Threat/UTM events (if your device emits them)
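The tenant-aware routing described in the data path section and the four starter alerts above, worked through in one added Python example. This is not code from the page, from Graylog or from CoPilot: it stands in for what a Graylog pipeline would do, on a handful of constructed syslog lines in a generic key=value firewall style (no real vendor format), with a constructed sender-network-to-customer map, a constructed deny threshold of 3 and SSH/RDP as the sensitive ports (the VPN admin port is vendor-specific and left for you to add).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: (sender IP as seen by the collector, raw syslog payload).
# The key=value body is a generic firewall-style format, not any vendor's.
SAMPLE_SYSLOG = [
    ("192.0.2.10", "<134>Jan 10 12:00:01 fw-a action=deny src=203.0.113.7 dst=10.1.0.5 dport=445 proto=tcp"),
    ("192.0.2.10", "<134>Jan 10 12:00:02 fw-a action=deny src=203.0.113.7 dst=10.1.0.6 dport=445 proto=tcp"),
    ("192.0.2.10", "<134>Jan 10 12:00:03 fw-a action=deny src=203.0.113.7 dst=10.1.0.7 dport=445 proto=tcp"),
    ("192.0.2.10", "<134>Jan 10 12:00:04 fw-a action=allow src=198.51.100.77 dst=10.1.0.8 dport=3389 proto=tcp"),
    ("198.51.100.20", "<134>Jan 10 12:00:05 fw-b action=allow src=203.0.113.9 dst=10.2.0.3 dport=22 proto=tcp"),
    ("198.51.100.20", '<133>Jan 10 12:00:06 fw-b event=config_change user=admin msg="policy 12 edited"'),
    ("198.51.100.20", '<132>Jan 10 12:00:07 fw-b event=utm_threat src=203.0.113.9 signature="EXAMPLE-SIG"'),
    ("203.0.113.200", "<134>Jan 10 12:00:08 unknown action=deny src=10.9.9.9 dst=10.9.9.1 dport=80 proto=tcp"),
]

# Constructed tenant map: the sender network is what identifies the customer,
# because the UDP/TCP source address is the one field the collector always has.
TENANT_BY_SENDER = {
    ip_network("192.0.2.0/24"): "customer-a",
    ip_network("198.51.100.0/24"): "customer-b",
}

HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SENSITIVE_PORTS = {22, 3389}   # SSH, RDP; add your vendor's VPN admin port here
DENY_THRESHOLD = 3             # constructed threshold for the "excessive denies" alert

def assign_tenant(sender_ip):
    """Map the collector-observed sender address to a customer; unknown senders stay unassigned."""
    addr = ip_address(sender_ip)
    for net, tenant in TENANT_BY_SENDER.items():
        if addr in net:
            return tenant
    return "unassigned"

def parse_event(sender_ip, line):
    """Split the RFC3164-style header, then extract key=value fields from the body."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    pri = int(m.group("pri"))
    return {
        "sender": sender_ip,
        "tenant": assign_tenant(sender_ip),
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group("host"),
        **fields,
    }

def evaluate_alerts(events):
    """Return (tenant, alert_name, detail) tuples for the four starter alerts."""
    alerts = []
    # Excessive denies from a single source IP, counted per tenant so customers never mix.
    denies = Counter((e["tenant"], e["src"]) for e in events if e.get("action") == "deny")
    for (tenant, src), n in denies.items():
        if n >= DENY_THRESHOLD:
            alerts.append((tenant, "excessive_denies", src))
    for e in events:
        # Inbound connections that were allowed to sensitive admin ports.
        if e.get("action") == "allow" and int(e.get("dport", 0)) in SENSITIVE_PORTS:
            alerts.append((e["tenant"], "sensitive_port_inbound", e["dport"]))
        # New admin login or configuration change.
        if e.get("event") in ("admin_login", "config_change"):
            alerts.append((e["tenant"], e["event"], e.get("user", "?")))
        # Threat/UTM events, when the device emits them.
        if e.get("event") == "utm_threat":
            alerts.append((e["tenant"], "utm_threat", e.get("signature", "?")))
    return alerts

def run(samples=SAMPLE_SYSLOG):
    events = [ev for ev in (parse_event(s, l) for s, l in samples) if ev]
    return events, evaluate_alerts(events)

if __name__ == "__main__":
    for alert in run()[1]:
        print(alert)
```

The last sample line comes from a sender outside every configured tenant network; it still parses, but it lands in "unassigned" and its alert is evaluated under that tenant, which is the state the "routed/tagged to the correct customer" success criterion is meant to catch.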
Troubleshooting
- Validate the device is sending to the correct IP/port
- Confirm the collector is listening and receiving
- Confirm parsing/extraction fields exist (vendor format)
- Confirm routing rules / customer association
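A loopback self-check for the first three troubleshooting items, as an added Python example that is not part of the page or of any collector: it binds a throwaway UDP socket standing in for the collector input (port 0, so the OS picks a free port), sends one constructed syslog message to it, and reports whether the message was received, which sender address the collector saw, and whether the payload carries a PRI header and the action/src/dst fields that the parsing step expects. Point the send at your real collector address and port to reproduce the "device → collector" leg.

```python
import socket

def start_test_collector(host="127.0.0.1", port=0, timeout=2.0):
    """Bind a UDP socket that stands in for the collector input; port 0 picks a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(timeout)  # never block forever if nothing arrives
    return sock

def send_test_message(host, port, message):
    """Send one syslog datagram the way a device would (plain UDP, no framing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), (host, port))

# Constructed test message in the same generic key=value style used above.
DEFAULT_MESSAGE = "<134>Jan 10 12:00:00 fw-test action=deny src=203.0.113.7 dst=10.1.0.5 dport=445"

def check_delivery(message=DEFAULT_MESSAGE):
    """Run the listen / receive / fields-present checks and return their results."""
    result = {"listening": False, "received": False, "sender": None,
              "has_pri": False, "has_fields": False}
    collector = start_test_collector()
    try:
        result["listening"] = True
        host, port = collector.getsockname()
        send_test_message(host, port, message)
        try:
            data, (src_ip, _) = collector.recvfrom(65535)
        except socket.timeout:
            return result  # listening but nothing received: check IP/port on the device side
        result["received"] = True
        result["sender"] = src_ip  # this is the address tenant routing will key on
        payload = data.decode(errors="replace")
        result["has_pri"] = payload.startswith("<") and ">" in payload[:5]
        result["has_fields"] = all(k + "=" in payload for k in ("action", "src", "dst"))
    finally:
        collector.close()
    return result

if __name__ == "__main__":
    print(check_delivery())
```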
